Fernando Silvano Gonçalves
INTEGRATED METHOD FOR DESIGNING COMPLEX CYBER-PHYSICAL SYSTEMS
Florianópolis 2018
Thesis submitted to the Graduate Program in Automation and Systems Engineering in fulfilment of the requirements for the degree of Doctor in Automation and Systems Engineering.
Advisor: Prof. Dr. Leandro Buss Becker - PGEAS - UFSC
Gonçalves, Fernando Silvano
Integrated Method for Designing Complex Cyber Physical Systems / Fernando Silvano Gonçalves; advisor, Leandro Buss Becker, 2018.
175 p.
Thesis (PhD) - Federal University of Santa Catarina, Technology Center, Graduate Program in Automation and Systems Engineering, Florianópolis, 2018.
Includes references.
1. Automation and Systems Engineering. 2. CPS design. 3. UAV. 4. Model-driven engineering. 5. Model transformation. I. Becker, Leandro Buss. II. Federal University of Santa Catarina. Graduate Program in Automation and Systems Engineering. III. Title.
INTEGRATED METHOD FOR DESIGNING COMPLEX CYBER-PHYSICAL SYSTEMS
This thesis was judged suitable for obtaining the degree of Doctor in Automation and Systems Engineering, and was approved in its final form by the Graduate Program in Automation and Systems Engineering. Florianópolis, 2018.
Prof. Dr. Leandro Buss Becker - PGEAS - UFSC
Coordinator of the Graduate Program in Automation and Systems Engineering
Prof. Dr. Eduardo
First of all I would like to thank God, for the gift of life, for giving me wisdom and science, being with me constantly and guiding me in my choices.
I want to thank my lovely family, because without them none of this would be possible. Thank you for your love, attention, and understanding, as well as for always encouraging and supporting me in my choices, contributing to my personal and professional growth. I give special thanks to my love Katren who, despite not always being physically present, has led me to do things that I never imagined. Thank you for being by my side while developing this project and for helping me.
I am grateful for all support from the ProVANT Project members, my friends Gabriel Manoel, Juliano Grigulo, Henrique Misson, Diego Sales, and Rosane Passarini. Thank you for your friendship and support during the writing of this thesis, because without you this work would not be possible.
I would also like to thank my friends, especially Rodrigo Donadel, Martin Bloedorn, Vinicius Stramosk, Gabriel Fernandes, and Richard Andrade, for your support in making this thesis possible and the text easier to read. Thanks for the friendship started at the Federal University of Santa Catarina (UFSC) that will continue for the rest of our lives.
I want to thank my PhD colleagues of automation and systems engineering from UFSC, thanks for the friendship and companionship, as well as for the discussions that have supported the construction of this thesis.
Special thanks are devoted to Eduardo Tovar and David Pereira, my internship advisors from CISTER in Oporto, Portugal. Thank you for supporting me during this period, especially for the discussions that contributed enormously to my thesis. I want to say thank you to my Portuguese friend Claudio Maia, who worked with me at CISTER; thank you for all that you have done. During the internship I also made some Brazilian friends, especially Marcel Bueno and João Rogano, whom I would like to thank for the support, friendship and for making this period far from home easier.
I would like to thank the postgraduate program in automation engineering and systems (PPGEAS) from UFSC, and the Brazilian research agencies CAPES and CNPq for their support and financial contribution to the accomplishment of this work.
great disposition throughout my thesis. I appreciate all you have done for me.
Finally, I want to thank all those who have contributed in some way to making this research possible.
turned skyward, for there you have been, and there you will always long to return. Leonardo da Vinci
The design of cyber-physical systems (CPS) is considered a complex activity, composed of different phases that are essential to its conception. In this sense, a detailed definition of the design phases is necessary, in order to facilitate the design of the applications and to help represent their characteristics. Some of these phases have been widely discussed by the engineering community, such as the development of the control systems, for example. Others, however, have a lower level of detail, i.e., the activities to be carried out are not widely discussed or detailed, which makes their application difficult. Among these are the specification of the sensing and actuation subsystems and the integration of formal verification processes, among others. These stages, although less discussed, are also essential within the scope of CPS development, since they support the specification and validation of application properties and are responsible for integrating the application with its operating environment. In CPS design, a considerable number of development methods are available in the literature, aiming to guide developers in the modeling tasks, but they do not present an adequate level of detail for the aforementioned activities. In this context, this work proposes the development of an integrated method that assists in the modeling and integration process of CPS, more specifically of Unmanned Aerial Vehicles (UAVs). The proposed method seeks to integrate the processes of functional modeling, architectural modeling, sensor and actuator integration, and formal verification, contributing to the design of the embedded system as well as to the interface with the set of sensors and actuators, and consequently culminating in the construction of the applications.
The proposed method is based on model-driven engineering (MDE), and its approach seeks to enable the automated construction of models, ensuring that the application characteristics are maintained throughout the development process, allowing the integration of the generated models and helping to validate the system properties. Together with the proposed method, two tools were developed, called ECPSModeling and ECPSVerifier. Their goal is to support the development process. ECPSModeling performs the transformation from the functional model to the
of the system, transforming the architectural model into a behavioral model represented by timed automata, enabling the application of the model checking formal verification technique. In order to detail the proposed method and the developed tools, they are applied to the design of a birotor UAV in the tilt-rotor configuration. The aim is thus to equip the CPS development process, particularly that of UAVs, by describing its main development phases.
Keywords: CPS design, UAV, Model-driven engineering, Model transformation
Introduction
Cyber-physical systems (CPSs) are described as applications characterized by intense interaction with the environment in which they are embedded. CPSs are defined as complex systems, typically applied to the control of electromechanical devices. In the CPS environment, embedded platforms and networked monitors are used to control physical processes, generally with feedback loops in which the physical and computational processes affect each other (LEE; SESHIA, 2015; ALUR, 2015).
The design of CPS, especially of unmanned aerial vehicles (UAVs), is considered a gradual process composed of a set of stages that aim to detail the application characteristics and to validate the information provided by means of simulations and analyses (LEE; SESHIA, 2015; JENSEN; CHANG; LEE, 2011a; BECKER et al., 2010). Because of this characteristic, the development process requires greater attention during the conception phase, so as to produce a product that meets the design requirements (MARWEDEL, 2010).
In this sense, CPS design is considered a complex activity, composed of different phases that are essential to its conception. Considering the complexity associated with developing these projects, a detailed definition of their phases is necessary, supporting the design and construction of the applications.
Considering the UAV development process, some challenges are observed, concerning the development of the control system, the specification and integration of its set of devices, and the evaluation and validation of its properties. The design of the control system is described as a complex process that requires the development of sophisticated algorithms. The specification and integration of the set of devices into the CPS application is also described as a non-trivial task, requiring the evaluation of different characteristics; likewise, defining the embedded platform for integrating these components is also a challenge. UAV design requires a high degree of confidence in the validation of its properties, and this process is often carried out only by means of simulations, an activity that is not sufficient to guarantee the evaluation and validation of the application, making it necessary to use additional techniques associated with the design of the
development applied to CPS described in the literature, it is observed that some of these phases are discussed more than others. In this sense, it is found that some points of the development process are not sufficiently detailed, raising doubts for the design teams. Likewise, although many of the proposals are based on model-driven engineering (MDE), it is also observed that there is little integration between the different design representations generated, making it difficult to maintain the information during project development.
Objective
This thesis aims to provide contributions to the CPS development process, enabling the specification of subsystem properties, the integration of devices, and support for the evaluation and validation of properties through the use of formal verification techniques. The contributions presented are applied mainly to the development process of Unmanned Aerial Vehicles.
Methodology
The methodology used in developing this thesis is based on three main components: (i) methodological, (ii) modeling of the sensing and actuation set, and (iii) formal verification.
Regarding (i), a development method applied to UAVs was proposed, seeking to systematize the development process and to detail both the stages specific to UAV design and the project management activities. In this way, the aim is to guide the design process from conception to customer validation. The proposed method is based on MDE and provides for the construction of complementary representations to map the application characteristics. The construction of some of these models is automated by applying model transformation processes, allowing new representations to be generated from their input data. Item (ii) proposes contributions applied to the modeling process of the applications' sensing and actuation set. In this sense, the extension of a model transformation process was proposed. In this process, functional models (Simulink) are
system, as well as to allow the specification of the set of sensors and actuators during the transformation process, a stage not previously covered by the original transformation process, was developed as an extension of the proposed transformation process, allowing developers to specify the characteristics of sensors and actuators, as well as to define the functions and tasks responsible for providing the interface with the devices.
In order to integrate formal verification techniques into the UAV development process (Item iii), a second model transformation process was proposed. In it, characteristics are integrated into the AADL architectural model, allowing the extraction of the system behavior represented by timed automata, which are used as the basis for the evaluation and validation of the system by means of model checking in the UPPAAL tool.
Results and Discussion
The results presented in this doctoral thesis are divided according to the three main components of the thesis mentioned above. Regarding the first, Chapter 4 of this thesis presents the development of the method applied to UAV design, as well as its validation through the development of a birotor tilt-rotor UAV applied to search and rescue missions. The results presented show that the proposed method seeks to detail not only the technical activities related to UAV design but also describes project management activities; in addition, two model transformation processes are associated with the proposed method, providing support for model generation and contributing to greater integration of these representations and to maintaining design information throughout all development phases.
Regarding the second component, Chapter 5 of this thesis presents the extension of a pre-existing transformation process (from the Simulink functional model to the AADL architectural model). In it, an intermediate processing stage was added to support the analysis and specification of the sensing and actuation subsystems, a process that the original transformation proposal regarded as a stage to be performed later. To support the transformation process, the ECPS Modeling tool was developed, assisting in the representation and organization
allowing the generation of an architectural model that integrates the control system with its set of sensors and actuators. In order to validate the developed process, the tool was applied to the design of a UAV, detailing the stages applied as well as the generated output model.
Considering the integration of the formal verification process (third component), Chapter 6 describes the development of the process for transforming the AADL architectural model into timed automata. These are submitted to the formal verification process by means of the model checking technique in the UPPAAL tool. This process is supported by the ECPS Verifier tool, developed within the scope of this thesis to enable the automated transformation of the models. The results obtained show that, with the refinement applied to the AADL architectural model, it is possible to extract the application behavior, enabling the evaluation and validation of the system properties. The developed tool was applied to the development process of a UAV in order to detail and validate its properties.
Final Remarks
In this thesis, contributions were presented with the aim of improving the development process of CPS, especially UAVs. These were proposed after an extensive analysis of different CPS design methods, considering the characteristics required in UAV design. Studies were carried out to evaluate the integration of the system's set of devices in these applications. The application of formal verification methods to this process was also evaluated. Based on the studies carried out, three contributions were proposed, with the goal of providing greater detail on phases not so widely discussed in UAV design, describing the design method applied to UAVs and two model transformation processes intended to support the proposed method.
In summary, this thesis describes an integrated solution applied to UAV design, detailing its phases and activities. This method is complemented by two model transformation processes that allow the integration of the characteristics of the system devices and the evaluation and validation of properties through the use of formal verification. The proposed method was applied to the design of a tilt-rotor UAV. The results obtained show that
greater detail of the information. Through the use of the transformation processes, the aim is to reduce design time and to contribute to making the process less error-prone.
Keywords: CPS design, UAV, Model-driven engineering, Model transformation
The design of a Cyber-Physical System (CPS) is a complex activity, composed of a set of design phases devoted to modeling the application characteristics. In this sense, detailing the characteristics of each phase is required in order to help the design teams during the project and to support a correct representation of the application characteristics. However, while some of these phases, such as control system design, are discussed at length by the engineering community, other phases have been studied in less detail, i.e., the design activities that compose them are not so well documented. Consequently, more experience is required from the design teams to perform activities such as the representation of the sensing and actuation subsystems and the integration of formal verification methods into the design process, among others. Despite the lack of information related to them, these phases are essential to CPS design, since they support the representation of the application characteristics and the validation of its properties, and they also provide the integration between the designed system and its environment. Regarding the CPS design process, different methods are available in the literature, aiming to guide designers in the modeling tasks. However, these approaches do not provide enough information about the activities described above. In this context, this thesis proposes an integrated method applied to CPS design, more specifically devoted to the design of Unmanned Aerial Vehicles (UAVs). The proposed method aims to integrate different modeling processes, namely functional modeling, architectural modeling, sensor and actuator integration, and formal verification. Based on the proposed activities, this method aims to support the UAV embedded system design and to allow the integration between the embedded platform and the set of system devices.
Model-Driven Engineering (MDE) is used as the basis of the proposed approach, and aims to support automated model generation based on the application characteristics. It is intended to ensure the maintainability of the system information across all design steps and to provide property evaluation and validation, following the model transformation principles. Two tools were designed together with the proposed method, ECPSModeling and ECPSVerifier, to support the design activities. ECPSModeling provides the transformation process from the functional model to the architectural model,
based on the architectural model, by using timed automata, which allows the formal verification evaluation by performing model checking. The proposed method and the designed tools are applied to the design of a tilt-rotor UAV. The details of the method proposed in this thesis are demonstrated by carrying out the UAV project, described as a case study.
Keywords: CPS design process, UAV, Model-Driven Engineering, Model transformation
Figure 1 Concept of CPS . . . 1
Figure 2 UAV architectural representation . . . 3
Figure 3 Model Transformation Overview . . . 15
Figure 4 AADL Components . . . 21
Figure 5 Relations between AADL components . . . 22
Figure 6 UAV design method workflow . . . 59
Figure 7 Rapid Intervention Vehicle . . . 70
Figure 8 VTOL-CP physical model . . . 73
Figure 9 VTOL-CP UAV architecture . . . 74
Figure 10 VTOL-CP UAV Functional Model . . . 74
Figure 11 High-level view of the UAV architecture . . . 75
Figure 12 High-level view of UAV Architectural model . . . 76
Figure 13 Position estimation task behavior . . . 78
Figure 14 GPS behavior representation . . . 79
Figure 15 Main activities and artifacts of the method to develop CPS . . . 84
Figure 16 UAV Simulink model: first hierarchical level . . . 87
Figure 17 ECPSModeling process workflow . . . 88
Figure 18 ECPSModeling definition of mathematical block . . . 89
Figure 19 ECPSModeling analyzing the block inputs . . . 90
Figure 20 ECPSModeling pre-processing functions definition . . . 91
Figure 21 ECPSModeling actuators definition . . . 92
Figure 22 Define the actuation software structure . . . 93
Figure 23 ECPSModeling output analysis . . . 94
Figure 24 Define post-reading functions . . . 95
Figure 25 PositionEst function definition . . . 95
Figure 26 ECPSModeling sensor specification . . . 96
Figure 27 ECPSModeling sensing threads specification . . . 97
Figure 28 UAV model with sensing and actuation process . . . 99
Figure 29 AADL representation of sensing and actuation process . . . 99
Figure 30 ECPS Verifier Top View . . . 103
Figure 31 ECPS Verifier Tasks Behavior and Interferences
Figure 33 AADL meta-model . . . 111
Figure 34 UPPAAL meta-model . . . 112
Figure 35 Scheduler model . . . 114
Figure 36 UAV Behavior model . . . 115
Figure 37 AADL design conventions . . . 117
Figure 38 UAV model with sensing and actuation process . . . 118
Figure 39 AADL representation of sensing and actuation process . . . 119
Figure 40 Split of UAV model with a subset of devices . . . 120
Figure 41 AADL representation of position estimation components . . . 120
Figure 42 GPS fault tree representation . . . 121
Figure 43 AADL GPS error representation . . . 121
Figure 44 AADL position thread behavior . . . 122
Figure 45 Position estimation task . . . 122
Figure 46 GPS template . . . 123
Figure 47 AADL position thread behavior . . . 124
Figure 48 Tasks template . . . 125
Figure 49 Evaluated UAV properties . . . 127
Figure 50 Obtained results of evaluated UAV properties . . . 128
Table 1 Evaluation of CPS design works . . . 36
Table 2 Evaluation of Integration of Sensors and Actuators . . . 44
Table 3 Evaluation of CPS Formal Verification . . . 50
Table 4 UAV control stability requisite . . . 72
Table 5 UAV load transportation requisite . . . 73
CPS Cyber-Physical System
IT Information Technology
UAV Unmanned Aerial Vehicle
MDE Model-Driven Engineering
CASE Computer-Aided Software Engineering
AADL Architecture Analysis and Design Language
AST Assisted Models Transformation
DSML Domain-Specific Modeling Languages
QoS Quality of Service
M2M Model to Model
M2C Model to Code
OMG Object Management Group
MDA Model Driven Architecture
PIM Platform-Independent Model
PSM Platform-Specific Model
EMF Eclipse Modeling Framework
XML eXtensible Markup Language
UML Unified Modeling Language
MoC Model of Computation
SAE Society of Automotive Engineers
SELT State/Event LTL model-checker
TTS Timed Transition Systems
RTOS Real-Time Operating System
PM Platform Model
CERBERO Cross-layer modEl-based fRamework for multi-oBjective dEsign of Reconfigurable systems in unceRtain hybRid envirOnments
MDD Model-Driven Design
FR Functional Requirements
NFR Non-Functional Requirements
VTA Virtual Target Architecture
TSAM Timed Abstract State Machines
VTOL-CP Vertical Take-Off and Landing Convertible Plane
UFSC Federal University of Santa Catarina
UFMG Federal University of Minas Gerais
SAR Search and Rescue
IMU Inertial Measurement Unit
GPS Global Positioning System
ESC Electronic Speed Controller
EA AADL Error Annex
1 INTRODUCTION . . . 1
1.1 MOTIVATION . . . 5
1.2 OBJECTIVES . . . 7
1.3 OUTLINE . . . 8
1.4 LIST OF PUBLICATIONS . . . 9
2 CONCEPTS, TECHNOLOGIES AND TECHNIQUES . . . 11
2.1 MODEL-DRIVEN ENGINEERING . . . 11
2.1.1 Models and Metamodels . . . 13
2.1.2 Model Transformation . . . 15
2.2 TOOLS AND LANGUAGES APPLIED TO CPS DESIGN . . . 16
2.2.1 MATLAB/Simulink . . . 18
2.2.2 Architectural Analysis Design Language - AADL . . . 20
2.2.3 OSATE 2 . . . 23
2.2.4 Formal Verification . . . 24
2.2.5 Model Checking . . . 26
2.2.6 UPPAAL . . . 28
2.3 SUMMARY . . . 30
3 STATE OF THE ART . . . 31
3.1 RELATED WORKS EVALUATION CRITERIA . . . 31
3.1.1 Criteria for CPS Design Methods . . . 32
3.1.2 Criteria for Integration of Sensors and Actuators . . . 32
3.1.3 Criteria for Formal Verification . . . 33
3.2 CYBER-PHYSICAL SYSTEMS DESIGN METHODS . . . 34
3.2.1 Overview . . . 34
3.2.2 Evaluation and Discussion . . . 36
3.3 INTEGRATION OF SENSORS AND ACTUATORS . . . 42
3.3.1 Overview . . . 42
3.3.2 Evaluation and Discussion . . . 43
3.4 FORMAL VERIFICATION ON CPS DESIGN . . . 48
3.4.1 Overview . . . 48
3.4.2 Evaluation and Discussion . . . 49
3.5 SUMMARY AND ADDITIONAL REMARKS . . . 54
4 DESIGN METHOD FOR UNMANNED AERIAL VEHICLES . . . 57
4.1 PROPOSED APPROACH . . . 58
4.1.1 Design Activities . . . 58
4.3 SUMMARY . . . 80
5 SENSING AND ACTUATION SUBSYSTEMS DESIGN . . . 83
5.1 RESEARCH CONTEXTUALIZATION . . . 84
5.2 PROPOSED APPROACH AND RELATED DESIGN ACTIVITIES . . . 85
5.2.1 Case Study . . . 86
5.2.2 Design Activities . . . 87
5.2.3 Output Model Generated by the Tool . . . 98
5.3 SUMMARY . . . 99
6 INTEGRATING FORMAL VERIFICATION INTO THE UAV DESIGN . . . 101
6.1 FORMAL VERIFICATION OF AADL ARCHITECTURAL MODELS . . . 102
6.1.1 Phase 1: Evaluation of Tasks and Interferences . . . 104
6.1.2 Phase 2: Schedulability Analysis . . . 106
6.1.3 Final Remarks . . . 108
6.2 MODEL TRANSFORMATION TOOL ECPS VERIFIER . . . 110
6.2.1 Related Metamodels . . . 110
6.2.2 Transformation Process . . . 110
6.2.3 Auxiliary Components . . . 113
6.3 DESIGN OF SENSING AND ACTUATION SUBSYSTEMS OF AN UAV . . . 118
6.3.1 Evaluation of tasks behavior and interferences . . . 119
6.3.2 Schedulability Analysis . . . 123
6.4 UAV PROPERTIES EVALUATION . . . 125
6.5 SUMMARY . . . 128
7 CONCLUSIONS . . . 131
7.1 FUTURE WORKS . . . 133
Bibliography . . . 135
1 INTRODUCTION
Cyber-Physical Systems (CPSs) are applications characterized by intensive interaction with the surrounding environment. CPSs consist of complex systems typically applied to control electro-mechanical devices. In the CPS environment, embedded computers and network monitors are applied to control the physical processes, usually with feedback loops where physical and computational processes affect each other (LEE; SESHIA, 2015; ALUR, 2015).
Analyzing the CPS structure, at least three main components can be observed (Fig. 1). The first is the physical plant, which defines the "physical" part of the CPS. The physical plant represents the components that are not executed by computers or digital networks, and it can include mechanical parts, biological or chemical processes, or human operators. The second part relates to the computational platforms, which consist of a set of devices coupled with computers and one or more operating systems. The third defines the communication interfaces, which provide the mechanisms for information exchange. In this sense, the platforms and the network interfaces provide the "cyber" part of the cyber-physical system (ALUR, 2015).
Since the 20th-century Information Technology (IT) revolution, the popularization of CPS has been driven by technological evolution, which provided components with higher processing power and better energy efficiency. Likewise, communication protocols and the network infrastructure have evolved, allowing more interaction and information exchange. However, despite this evolution, CPS design requires understanding the joint dynamics of computers, software, networks, and physical processes. In this sense, the design process is considered a multidisciplinary task, which involves different teams working in a collaborative way to properly address the application features (DERLER; LEE; VINCENTELLI, 2012).
Over the last years, CPSs have been applied to different environments, requiring particular levels of reliability and safety according to the problem domain. These domains include robotic manufacturing systems; electric power generation and distribution; process control in chemical factories; distributed computer games; transport of manufactured products; heating, cooling, and lighting in smart buildings; people movers such as elevators; bridges that monitor their own state of health; the automotive industry; and aerospace applications (LEE, 2008).
Regarding the aerospace environment, different applications have been designed within the CPS scope, such as satellites, spacecraft, and Unmanned Aerial Vehicles (UAVs). In relation to UAVs, it is observed that the use of these aircraft has grown tremendously in recent years, mainly due to technological innovation in fields like control design, estimators, and system components (PAPACHRISTOS et al., 2011).
Initially, UAVs were widely used in military applications, due to their flexibility to integrate into different environments and their ability to be remotely operated and to transmit information in real time, being applied, for example, to surveillance and reconnaissance missions (KEANE; CARR, 2013). However, UAVs also began to be used in civilian applications, prompting much research. These vehicles have shown potential for missions such as remote sensing, cargo transportation, search and rescue, precision agriculture, border monitoring, among others (COSTA et al., 2012; NAIDOO; STOPFORTH; BRIGHT, 2011; PING et al., 2012).
Evaluating the different UAV characteristics and configurations, it is possible to identify two large groups of UAV architectures in the literature: fixed wing and rotary wing. Fixed-wing aircraft are characterized by high autonomy and high speed (Fig. 2a); on the other hand, rotary-wing aircraft (namely helicopters) have good maneuverability as their main characteristic (Fig. 2b).
Besides these two groups, another UAV category has emerged: the tilt-rotor aircraft, an aerial vehicle whose design lies between these two architectures and which is propelled by two tiltable rotors. One of the most notable aircraft is the Bell-Boeing V-22 Osprey, which is used by the US military to perform several kinds of missions, such as transporting troops or military equipment, as shown in Fig. 2c. Other tilt-rotor UAVs have since been developed, such as the TR918 Eagle Eye shown in Fig. 2d, whose construction began in 1993, with its final version released in 1998. It was designed and built for Bell by the research company Scaled Composites.
Figure 2 – UAV architectural representation. (a) Ebee - fixed wing UAV. Source: SenseFly (2018). (b) TURAC - rotary wing UAV. Source: Cai et al. (2008). (c) Bell-Boeing V-22 Osprey. (d) Bell Eagle Eye tilt-rotor UAV. Source: UAVGLOBAL (2008).
Regarding the UAV design process, considerable challenges are observed to provide such system work. First, controlling the vehicle is not trivial task and sophisticated control algorithms are required.
Secondly, specifying and integrating the set of required devices into the CPS application is not a trivial task, and several characteristics need to be evaluated, as well as the definition of the embedded platform to integrate these components is also a challenge. Thirdly, the vehicle needs to operate in a context, interacting with its environment. It might, for example, be under the continuous control of a watchful human who operates it by remote control. Or it might be expected to operate autonomously, to take off, performing a mission then returning and landing.
Providing the autonomous operation is enormously complex and challenging, because it cannot benefit from the watchful human. The autonomous operation demands more sophisticated sensors, the vehicle needs to keep track of where it is, requires that the aircraft senses the obstacles, and it needs to know where the ground is. These vehicles also needs to continuously monitor their own health, in order to detect malfunctions and react to them so as to contain the damage. It requires detailed modeling of the environment dynamics, and a clear understanding of the interaction between these dynamics and the embedded system.
In this context, different CPS methods are proposed nowadays, aiming to provide a guideline for the design teams that build these applications. Some of these methods are based on Model-Driven Engineering (MDE) (SCHMIDT, 2006) in order to support the capture and representation of CPS characteristics. By applying MDE principles, complementary models can be created and different system dimensions represented (BECKER et al., 2010; JENSEN; CHANG; LEE, 2011b; DERLER; LEE; VINCENTELLI, 2012).
One MDE characteristic is the use of model transformation, aiming to automate the design tasks. These processes provide automated model generation: based on a source model, a complementary target model can be generated, and the application code can be derived as well.
Despite the different CPS methods proposed, and considering the UAV design complexity, at least three difficulties are observed in these processes. The first is that some design steps are discussed more than others: the control system design is discussed at length by the engineering community, while the design of the sensing and actuation subsystems receives less detailed study.
The second problem is the weak integration between the project phases and the supporting tools. It is caused by the difficulty of providing the model mapping, which makes it hard to maintain any information during the design process. Similarly, tools and methods sometimes do not provide enough representation of the characteristics needed by the UAV design process, requiring manual work from the development team, which is subject to project errors.
The third difficulty is the integration of formal verification methods to validate the properties of the UAV project. Some methodologies do not integrate these techniques into their approaches. In this way, the validation of application properties becomes difficult and imprecise; often this validation is based only on the project team's experience.
1.1 MOTIVATION
Designing CPS applications, especially UAVs, is considered a gradual process composed of a set of steps that detail the application characteristics and validate the provided information by performing simulations and analyses (LEE; SESHIA, 2015; JENSEN; CHANG; LEE, 2011a; BECKER et al., 2010). Due to the complexity of this process, the application design requires greater care during its conception, in order to provide a product that fulfills its requirements (MARWEDEL, 2010).
Computer-Aided Software Engineering (CASE) tools based on functional characteristics and supporting simulation are typically used to represent the CPS behavior (functional representation) (LEE; SESHIA, 2015), such as Ptolemy (BERKELEY, 1999) and Simulink (MATHWORKS, 2018). However, although they support application code generation, they do not provide enough support to represent architectural aspects (GONCALVES et al., 2013b).
Representing the architectural characteristics of a CPS application is required independently of the applied approach. These aspects are usually described by creating an architectural model, which describes the integration between software and hardware components.
To represent the architectural properties, languages are applied that properly describe these characteristics. One example of such languages is the Architecture Analysis and Design Language (AADL) (FEILER; GLUCH; HUDAK, 2006), which has been extensively applied in critical embedded systems design (ZHAO; MA, 2010). Based on the language properties, application characteristics can be evaluated, such as temporal characteristics (scheduling and flow
latency), and physical properties (weight, power consumption) (FEILER; GLUCH, 2012).
Performing formal verification to evaluate and validate the system properties is cited by different authors as essential to ensure CPS properties validation (CORREA et al., 2010; MOON, 1994). In this sense, given the UAV complexity, this technique is described as essential to ensure that the designed application fulfills its restrictions and can perform its missions. The properties validation is performed by confronting the system description with its specifications, validating the system properties (ONEM; GURDAG; CAGLAYAN, 2008). Synchronous languages can be applied to evaluate these properties. Based on these representations, characteristics such as liveness, invariance, and reachability can be evaluated (INRIA, 2012).
Another point observed in different approaches is that, despite building different models to represent the application properties, these representations have little integration between themselves, i.e., most of these models are built manually. This fact requires designers to put additional effort into representing the application characteristics, either for the transition between models or to provide the application code.
This additional effort, usually spent by the design teams on manual tasks, does not ensure the mapping between models, because these characteristics are based only on the design team's experience. In addition, performing manual tasks makes project maintenance difficult, as well as making the project more prone to errors.
Based on the presented information, some challenges are identified in the CPS project: for example, the integration between the generated models, the definition of the set of sensors and actuators and the representation of their properties, the integration of the system devices with the embedded platform, and the integration of formal verification methods during the design phase. These topics are seen as essential to provide the integration between the designed application and the real world. However, the desired integration level between the design steps is not observed; furthermore, some activities are less discussed than others.
Regarding the integration of models, and aiming to automate the generation of these representations, techniques that perform model transformation processes can be applied to support the generation of the application models. The Assisted Models Transformation (AST) (PASSARINI, 2014) can be cited as one transformation technique that aims to generate the architectural software representation based on the functional model.
The main objective of the AST is the translation of the control subsystem into the architectural model, leaving out other features that are also essential to the application, such as the sensing and actuation subsystems. The AST considers the integration of these subsystems as an activity external to the transformation process, which is the designers' responsibility to perform.
Because the CPS design process is composed of a set of phases, and these steps are not properly integrated, performing the CPS design is considered a complex activity, and maintaining these applications is not an easy task either. In this sense, it is observed that the existing approaches are lacking and do not properly guide the design team. Similarly, the design processes do not properly provide a means for integrating the generated models, validating the system properties or integrating the set of system devices. These characteristics indicate that automating some of these design steps can contribute to the CPS design process, especially in relation to UAV design.
1.2 OBJECTIVES
The main objective of this PhD Thesis is to provide contributions to the CPS design process, allowing the specification of subsystems, the integration of system devices, and support for property evaluation by using formal verification. These contributions are especially applied to the design of Unmanned Aerial Vehicles.
In order to achieve the main objective, some specific objectives are defined as follows:
1. Study the existing CPS design methods, identifying their deficiencies, especially those related to UAV design.
2. Propose a design method for UAV systems, providing a guideline for design teams and systematizing the process activities.
3. Explore the integration of system devices in the CPS design process.
4. Provide contributions to integrate device characteristics in the design process.
5. Investigate the formal verification methods integration on the CPS design process, providing the system properties evaluation and validation.
6. Design tools to support models transformation processes, contributing to device’s characteristics integration and to perform the systems formal evaluation.
1.3 OUTLINE
In this introductory chapter, the problem of designing CPS, especially UAVs, supported by tools that automate some activities, was introduced and motivated. The next chapters are organized as follows:
• Chapter 2 presents the concepts and techniques related to the topic that compose this dissertation such as MDE, model transformation, modeling languages, among others.
• Chapter 3 provides a survey of the CPS design state of the art, analyzing several related works. Firstly, different CPS design methods are presented. Secondly, a set of approaches that propose the integration of sensors and actuators in the CPS design process are detailed. Thirdly, works that describe the integration of formal verification methods are presented. Finally, a discussion related to these topics is presented.
• Chapter 4 shows the proposed CPS design method, devoted to building UAV applications. The proposed approach describes a set of activities aiming to guide the design teams in constructing the applications. A Tilt-rotor UAV design process is presented to illustrate the steps taken throughout the proposed method.
• Chapter 5 introduces the integration of the sensor and actuator properties into the CPS design process. This process is supported by the ECPS Modeling tool, which performs the transformation from a Simulink model to an AADL model, integrating the components' characteristics. A case study is presented to detail the transformation process.
• Chapter 6 presents the integration of formal verification methods in the CPS design process. A transformation process is performed from AADL models to UPPAAL timed automata, in order to support the evaluation of system properties. This approach is supported by a tool named ECPS Verifier, and is detailed by evaluating a Tilt-rotor UAV.
• Chapter 7 summarizes the contributions and results presented in this thesis and suggests possible future research lines.
1.4 LIST OF PUBLICATIONS
The following papers were published along this PhD:
• GONÇALVES, F. S.; BECKER, L. B. Preparing cyber-physical systems functional models for implementation. In: V Brazilian Symposium on Computing System Engineering (SBESC 2015). Foz do Iguaçu - PR: [s.n.], 2015.
• GONÇALVES, F. S. et al. Vant autônomo capaz de comunicar com uma rede de sensores sem fio. In: X Congresso Brasileiro de Agroinformática (SBIAGRO 2015). Ponta Grossa - PR: [s.n.], 2015.
• GONÇALVES, F. S.; BECKER, L. B.; RAFFO, G. V. Managing CPS complexity: Design method for Unmanned Aerial Vehicles. In: 2016 1st IFAC Conference on Cyber-Physical & Human-Systems. [S.l.: s.n.], 2016.
• GONÇALVES, F. S.; BECKER, L. B. Model driven engineering approach to design sensing and actuation subsystems. In: 2016 IEEE 21st International Conference on Emerging Technologies and Factory Automation (ETFA). [S.l.: s.n.], 2016. p. 1–8.
• GONÇALVES, F. S. et al. Formal verification of AADL models using UPPAAL. In: VII Brazilian Symposium on Computing Systems Engineering (SBESC 2017). Curitiba - PR: [s.n.], 2017.
2 CONCEPTS, TECHNOLOGIES AND TECHNIQUES
Representing the CPS application characteristics in order to correctly describe its properties is one of the CPS design challenges, especially when UAV systems are considered. This complexity is inherent to the environment of these applications, as well as to the guarantees required of these systems (LEE; SESHIA, 2015). The design process is composed of a set of phases, each detailing the application characteristics. In this sense, different tools and techniques may be applied to support the design activities (JENSEN; CHANG; LEE, 2011b; BECKER et al., 2010).
Aiming to improve the model characteristics and make the designers' work less prone to errors, different technologies may be applied to UAV design. In this context, the techniques, modeling languages, and tools applied to these design processes are presented in this chapter.
2.1 MODEL-DRIVEN ENGINEERING
MDE (SCHMIDT, 2006) is a method applied to capture and represent system characteristics. Through MDE, complementary models may be created, representing different system viewpoints such as the physical representation, the control system, the architectural structure, the functional representation, the electrical components, among others.
This technique is focused on representing the application characteristics through model construction. Unlike traditional approaches, MDE is not centered on coding but on specifying the system characteristics before writing the application code (ALANEN et al., 2004; SCHMIDT, 2006). MDE was proposed by Stuart Kent (KENT, 2002) as an approach that describes the application design, analysis, and representation.
MDE proposes the design of complementary models to represent the system characteristics, and based on this, different viewpoints are created. In addition to model design, MDE supports an automated code generation process, where, based on the designed models, the software structure to be applied to the target platform can be extracted (ALANEN et al., 2004). During the evolutionary CPS design process, different models are generated, providing more project information and increasing the team's productivity. However, these structures need to be integrated in order to compose the CPS application. By using MDE standards, the model representation can be reused, simplifying the design process. MDE aims to face the platform's complexity as well as the inability of third-generation languages to effectively express the domain application concepts. MDE introduces technologies that incorporate (SCHMIDT, 2006):
• Domain-Specific Modeling Languages (DSML): languages that support the definition of an application's structure, system behavior, and domain characteristics. By using these languages, properties are defined based on metamodels that represent the relations between domain concepts, which furthermore express the model semantics associated with its restrictions;
• Transformation engines and generators: these analyze the model aspects and synthesize different artifacts, such as source code, alternative model representations, among others. The synthesis of these artifacts ensures consistency between application implementations and the information associated with functional analysis and Quality of Service (QoS) requirements captured in the models.
This technique proposes model transformation processes, where based on an initial domain application model (defined as source-model), it is possible to generate different representations (defined as target-models), which should be in accordance with the source-model. The model transformation can be carried out in two ways, to generate new representations (Model to Model - M2M), or to provide application code (Model to Code - M2C).
An approach based on MDE was proposed by the Object Management Group (OMG), defining a standard for the design of platform-independent applications. This standard, named Model Driven Architecture (MDA), is focused on the specification of system functionalities as a process detached from the specific platform implementation (OMG, 2003).
Methodologies based on MDA provide the application design through automated mapping processes, attaching the models to their implementations. Through MDA, the OMG aims to provide means by which designers can focus on the definition of application requirements without regard for the implementation aspects of the target platform.
MDA is based on a mapping concept, where the defined Platform-Independent Models (PIM) are mapped into Platform-Specific Models (PSM) by the use of automated or semi-automated model transformation mechanisms. The definition of PIM and PSM models is performed with the use of metamodels that describe the syntax and operational semantics of each modeling language (LOPES et al., 2006a).
Another MDE approach is the Eclipse Modeling Framework (EMF), which provides a framework to design and perform application code generation based on structured data models (STEINBERG; BUDINSKY; MERKS, 2009). With EMF it is possible to build models and perform Java code generation, allowing the design, editing and storage of a designed model instance.
EMF unifies three technologies, Java, XML¹ and UML², so that, independently of the design language, the provided representation can be considered as a common model with properties of these three languages. This means that a transformation method defined for EMF can be applied to the other technologies as well. The EMF framework has a metamodel that details the models' characteristics, i.e., it defines the structure used to store the designed representations (ECLIPSE, 2004). MDA and EMF are considered representative approaches of MDE, describing important concepts such as models, metamodels, and transformation processes (LOPES et al., 2006b).
2.1.1 Models and Metamodels
A model is described as a set of formal elements that represent a particular object of study, designed for a specific purpose, which can be evaluated by performing some kind of analysis (MELLOR et al., 2004; MELLOR; CLARK; FUTAGAMI, 2003). Models can also be defined as a simplified view of real life (SELIC, 2003), or as a set of propositions that describe characteristics of the studied objects (SEIDEWITZ, 2003). This representation is essential to engineering, being applied to represent complex problems to be solved, reducing the implementation time and cost of complex solution projects (SELIC, 2003).
MDE makes use of programming and modeling languages, and based on these components models are generated during different project phases, providing not only the system documentation but being part of its design. For this reason, models are considered the main artifacts generated during the application project. In this sense, greater accuracy is required in the design of these representations, specifying the system characteristics and considering them as part of the development process, i.e., these objects are used as a basis for the final solution by performing transformation processes (MAIA, 2006).
¹ eXtensible Markup Language. ² Unified Modeling Language.
Models can be created as descriptive or prescriptive representations (KÜHNE, 2006; HENDERSON-SELLERS, 2012). Descriptive models detail characteristics of an existing object, while prescriptive models (also named specification models) represent the object to be implemented. The use of descriptive or prescriptive models is defined according to the application context (SEIDEWITZ, 2003; HENDERSON-SELLERS, 2012). In software engineering, models usually represent pieces of the application domain while also defining software characteristics applied to this domain (HESSE, 2006).
A model is considered suitable only if evaluated in a simulation environment that behaves similarly to the real object. Due to the abstraction property (an MDE characteristic), models represent a set of relevant information related to the studied object, i.e., they describe a subset of the application aspects, allowing properties to be evaluated. In this sense, aiming to obtain a complete application view, the design process includes the use of multiple complementary models describing the application characteristics (MELLOR; CLARK; FUTAGAMI, 2003).
Metamodels are created to provide the model specification; these representations detail the language expressiveness, i.e., they specify the set of propositions that guide valid model construction (SEIDEWITZ, 2003; GAAEVIC et al., 2006). A model is defined based on its metamodel, and is thus an instance of that metamodel. The model is considered in conformity with its metamodel only if it is syntactically correct and meets the constraints imposed by the metamodel (KÜHNE, 2006).
As described by Mellor et al. (2004) a metamodel details the structure, the semantic, and the restrictions of model families, i.e., model groups that share syntaxes and semantics. In this way, a metamodel describes a precise definition and the required rules to create semantic models, and its structure defines the relations between the model’s elements.
2.1.2 Model Transformation
Model transformation represents the automated generation of models, where, based on a source model, a target representation is provided. This activity plays an important role within the MDE scope (KLEPPE; WARMER; BAST, 2003). The OMG defines model transformation as a translation process between models of the same system (OMG, 2003). Baudry et al. (2006), on the other hand, describe model transformation as a kind of relation between languages.
The transformation process requires the definition of a set of rules. These structures detail how the source model is translated into an equivalent representation in the target language. The transformation rules define the way in which one or more structures of the source language are represented in the target representation (KLEPPE; WARMER; BAST, 2003). This process is exemplified in Fig. 3, which gives a top-level description of the process and details its concepts and relationships.
Figure 3 – Model Transformation Overview
Source: Eclipse (2006).
The transformation process is composed of a source model Ma, which must comply with its metamodel MMa, and which is transformed into a target model Mb, which in turn must comply with its metamodel MMb. The transformation is defined by a transformation model Mt, which must comply with its transformation metamodel MMt. The source and target metamodels (MMa and MMb), together with the transformation metamodel (MMt), shall conform to a metametamodel MMM (ECLIPSE, 2006).
The transformation is composed of a set of mapping rules that guide the process. By using these rules, the source model components are related or mapped to the target model components. These rules define mapping standards, specifying relations between different metamodel elements. The identification and characterization of these relations between elements is defined as a mapping scheme (RAHM; BERNSTEIN, 2001).
Lopes et al. (2006a) describe that the mapping provides relations between source and target models, where the target model elements represent the same structure and semantics as the source model. This mapping establishes different relations between elements: one-to-one, one-to-many, and many-to-one. One-to-one mappings (1:1) mean that one element from the source model is directly mapped to one element from the target model, and they have the same semantics. In many-to-one mappings (n:1) a set of source elements carries the same semantics as one element of the target model, i.e., a target element represents the characteristics and semantics of a set of source elements. Finally, one-to-many mappings (1:n) describe the representation of one element from the source model by a set of elements from the target model, i.e., a set of target elements is required to represent the same semantics as an element from the source model.
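As an added example (not from the thesis or its ECPS tools), the following Python script carries the Fig. 3 structure and the three mapping cardinalities above through a tiny transformation from a Simulink-like source model to an AADL-like target model; the element kinds, attribute names and the sample model are all constructed for illustration.

```python
"""Added example (not from the thesis or its ECPS tools): a minimal M2M
transformation laid out as in Fig. 3.  A constructed, Simulink-like source
model Ma is checked against its metamodel MMa, the rule set Mt maps it to an
AADL-like target model Mb, and Mb is checked against MMb.  The rules show the
1:1, n:1 and 1:n mapping cardinalities.  All names here are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Element:
    kind: str
    name: str
    attrs: dict = field(default_factory=dict)


@dataclass
class Model:
    elements: list


# Metamodels: allowed element kinds and the attributes each kind must carry.
MMa = {
    "Inport": {"sensor", "target"},   # external signal entering the diagram
    "Subsystem": {"sample_time"},     # control subsystem, sample time in s
    "Gain": {"value", "parent"},      # arithmetic blocks inside a subsystem
    "Sum": {"parent"},
}
MMb = {
    "device": {"port"}, "thread": {"period_ms"}, "subprogram": {"blocks"},
    "data port": {"owner"}, "connection": {"src", "dst"},
}


def conforms(model, metamodel):
    """Syntactic conformance: list of problems, empty for a valid instance."""
    problems = []
    for e in model.elements:
        if e.kind not in metamodel:
            problems.append(f"{e.name}: unknown kind {e.kind}")
        else:
            missing = sorted(metamodel[e.kind] - set(e.attrs))
            if missing:
                problems.append(f"{e.name}: missing {missing}")
    return problems


def rule_subsystem(e):
    """1:1 - one Subsystem becomes one periodic thread (same semantics)."""
    period = int(round(e.attrs["sample_time"] * 1000))
    return [Element("thread", e.name, {"period_ms": period})]


def rule_inport(e):
    """1:n - one sensor-fed Inport needs a device, a data port on the
    consuming thread and a connection between them."""
    dev, thr = e.attrs["sensor"], e.attrs["target"]
    return [
        Element("device", dev, {"port": f"{dev}_out"}),
        Element("data port", f"{e.name}_in", {"owner": thr}),
        Element("connection", f"{dev}_to_{thr}",
                {"src": f"{dev}.{dev}_out", "dst": f"{thr}.{e.name}_in"}),
    ]


def transform(source):
    """Mt: apply the rules to a conforming Ma and return a conforming Mb.
    Gain/Sum blocks have no architectural element of their own, so all
    blocks of one subsystem are folded into a single subprogram (n:1)."""
    problems = conforms(source, MMa)
    if problems:
        raise ValueError(f"source does not conform to MMa: {problems}")
    target, grouped = [], {}
    for e in source.elements:
        if e.kind == "Subsystem":
            target += rule_subsystem(e)
        elif e.kind == "Inport":
            target += rule_inport(e)
        else:  # Gain or Sum, grouped by the subsystem that contains them
            grouped.setdefault(e.attrs["parent"], []).append(e.name)
    for parent, names in grouped.items():
        target.append(Element("subprogram", f"{parent}_law", {"blocks": names}))
    result = Model(target)
    problems = conforms(result, MMb)
    if problems:
        raise ValueError(f"generated model does not conform to MMb: {problems}")
    return result


# Constructed source model: an attitude controller reading an IMU signal.
SOURCE = Model([
    Element("Inport", "attitude", {"sensor": "imu", "target": "AttitudeCtrl"}),
    Element("Subsystem", "AttitudeCtrl", {"sample_time": 0.01}),
    Element("Gain", "Kp", {"value": 2.5, "parent": "AttitudeCtrl"}),
    Element("Sum", "err", {"parent": "AttitudeCtrl"}),
])
```

Calling `transform(SOURCE)` yields five target elements (one thread, one subprogram, one device, one data port, one connection); a source containing an unknown block kind is rejected before any rule runs, which is the conformance step of Fig. 3.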
Based on the MDE principles, and aiming to support the CPS design process, different languages and tools have been proposed in recent years. These usually provide a design environment and a set of components, offering the means to detail the application characteristics.
2.2 TOOLS AND LANGUAGES APPLIED TO CPS DESIGN
As described in the introduction (Chapter 1), CPS applications are described by a set of complementary models that detail the application characteristics. Among the models produced during the design process, at least three different representations are provided, defining the functional characteristics (functional design), the architectural aspects (architectural model), and the formal evaluation of the system's set of properties (formal verification).
Given the heterogeneity of these models, it is usually difficult to represent all the system characteristics using just one language or tool. In this way, different modeling languages and tools can be applied to represent the application characteristics. The design process usually starts with the functional modeling, as described by Lee & Seshia (2015). The authors define these representations in order to specify the system dynamics. In this way, a set of mathematical expressions is created to represent the application behavior. Based on this behavioral description, control approaches may be proposed, guiding the system according to the imposed requirements.
Jensen, Chang & Lee (2011a) define functional modeling as the process of representing the physical characteristics to be controlled, i.e., models that specify the real system properties by using mathematical expressions. Using this representation, control algorithms are defined and hardware components can be specified, and the evaluation of the designed subsystems becomes possible.
On the other hand, Alur (2015) states that the functional model is composed of an architecture that aims to support the control system design, being composed of a control system and the physical plant. The control system sends its references into this environment, and the physical plant representation returns the set of system states according to the received inputs.
In this context, aiming to properly represent the application characteristics, different tools can be applied to functional modeling, such as Ptolemy (BERKELEY, 1999), VisualSim (MIRABILIS, 2018) and MATLAB/Simulink (MATHWORKS, 1994), among others. These tools provide a set of components that support the representation of the system properties.
The Ptolemy project aims to provide an environment for the design and evaluation of concurrent systems, real-time systems, and embedded systems. Using an open framework, the authors propose an actor-oriented approach, which has been under development since 1996. Actors are defined as software components that run concurrently, exchanging information through communication ports (PTOLEMAEUS, 2014).
The proposed environment provides hierarchical system construction, where the actors are interconnected through communication ports. These structures are managed by a director component, which is responsible for implementing the model of computation (MoC). The MoC details how the application runs, supporting the behavioral representation (BERKELEY, 1999).
Different MoCs are supported in Ptolemy, such as discrete events, data flows, synchronous reactive, continuous time, among others. With the hierarchical approach, each level can have its own director, and different MoCs can be applied to these directors. In this way, the framework provides a means of combining different MoCs in the same project by using different directors. With this structure, hybrid systems can be designed, simulated and evaluated.
VisualSim is proposed as modeling and simulation software for systems engineering exploration of performance, power and functionality. Using the proposed environment, users can construct, debug, simulate and analyze their specifications. Systems are built through a graphical interface that composes the design from a set of blocks (MIRABILIS, 2018).
The pre-defined blocks have been optimized for simulation performance and pre-compiled to reduce development time. Custom components can also be created by combining blocks with scripts written in the VisualSim Script language.
Using the VisualSim interface, the user can evaluate logic flows, check the correctness of the operation, debug, validate requirements and optimize the system to meet them. The designed models can combine different abstraction levels and different models of computation. VisualSim contains three different simulators, for timed computation, untimed digital, and continuous time.
Another tool widely applied to functional modeling is MATLAB/Simulink, which provides an environment to design, simulate, and validate CPS. Since this tool is applied within the scope of this thesis, a section is devoted to its characteristics.
2.2.1 MATLAB/Simulink
MATLAB is a high-performance design and evaluation tool whose resources enable the representation of different system characteristics. Its name derives from MATrix LABoratory; developed at the end of the 1970s, this tool has been widely applied to represent application characteristics by using mathematical expressions (MATHWORKS, 1994).
A set of extensions is provided by the tool; these components enable the representation of different functionalities and the integration with external tools. This set of extensions includes the Simulink tool, where the designer can specify the system based on a block diagram structure (MATHWORKS, 2018).
represented such as: linear and nonlinear, continuous time, discrete time, and mutivariable systems. Its design environment provides a means to specify the system’s properties, and simulate these systems, which are usually composed by heterogeneous representations (MATHWORKS, 1994).
The Simulink structure is composed of a set of blocks responsible for implementation of different functions application model construction. Its graphical interface supports the design process and allows the hierarchical applications to be built, defining abstraction levels and making block connection easier (MATHWORKS, 2018).
The implemented Simulink blocks are considered as black boxes, i.e., the designers ca only change the set of configuration parameters, but not its functionality itself. However, the tool provides the user with blocks, where the designer can write their own code and integrate it with the existing blocks. A set of inputs and outputs are attached to each Simlunk component, that coupled with a set of internal states defines the relation between received inputs and produced outputs.
Regarding the Simulink hierarchical approach applied to the applications design, different abstraction levels can be added. In this way, the complex system can be specified in a set of subsystems, increasing the application details. By the use of Simulink block its also possible to perform the interface between the designed model and external tools, allowing for example the design of simulation environments.
Besides the functional modeling the CPS design process includes the representation of the architectural characteristics, by using an architectural model. This representation define aspects that provide the integration between software and hardware elements.
As described by Feiler, Gluch & Hudak (2006) the architectural modeling process is defined as the structural software representation applied to support the system execution, as well as this it allows the integration between hardware and software components. By the use of this representation the required execution characteristics are defined, and a set of system properties evaluation allowed.
Based on the architectural model, system properties can be evaluated ensuring characteristics such as scheduling, latency, weight, power consumption, among others. These analysis allows the designers to evaluate if the defined architecture is capable of supporting the designed application. By the use of this model, software characteristics are defined, specifying properties such as support of control execution and device interface (ZHAO; MA, 2010).
Regarding the design of architectural models, different languages can be applied to detail the application aspects. In this sense, AADL has been widely used to design these representations.
2.2.2 Architectural Analysis Design Language - AADL
The Architectural Analysis Design Language was designed by The Society of Automotive Engineers (SAE) in 2004 (SAE, 2015). This language was proposed with the aim of being a standard devoted to modeling and designing avionic, aerospace, automotive and robotics applications (FEILER; GLUCH; HUDAK, 2006).
The AADL notation is based on a set of components that describe the system characteristics. By using modeling tools the designers can create, analyze, and validate real-time applications, and perform code generation for the embedded platforms. The architectural models integrate hardware and software components, describing their characteristics and connections (WANG et al., 2009).
The designers may choose to perform the system representation by using textual, graphical, or XML files. These inputs are supported by AADL and provide a means to express the system properties, helping integration with other tools. The AADL standard provides a hierarchical structure organized into packages. These packages provide a means for the system specification to be composed of hardware elements (devices, buses, platforms, among others) and software structures (processes, tasks, function calls). By the use of software and hardware structures the system properties are detailed, and the integration of the components is represented (ZHAO; MA, 2010).
The set of resources covered by AADL is described in Fig. 4, being organized essentially into three categories: software, hardware, and composition elements. The software elements (Application Software) describe the informational structure representation, i.e. the set of elements that provide the application structure, allowing for its concurrent execution (FEILER; GLUCH, 2012).
The hardware elements (Execution Platform) detail the physical components. By the use of these, structural properties related to the real hardware are defined, and based on these characteristics properties can be evaluated and validated, such as scheduling, flow latency, memory usage, weight, power consumption, among others. The compositional elements (Composite) are included to support the hierarchical representation. By the use of these components the system is described as a set of systems. In this way, the generation of independent systems integrated into the application is allowed.
Figure 4 – AADL Components. Source: Feiler & Gluch (2012)
The AADL components are specified based on a set of properties, applied to detail the system characteristics. These properties are summarized in Fig. 5, providing an overview of the relations between components and properties.
As defined in the AADL standard, each component is classified according to a category type, represented by a component type declaration, where the general characteristics are defined. These declarations should be instantiated by the definition of a component implementation. These structures refine the component declaration, providing more information related to the component properties.
Regarding component declarations, these structures support the representation of different properties such as input and output ports, subprograms, data flow definitions, among others. On the other hand, in the component implementation, characteristics such as connections and operation modes can be described.
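The following AADL package is an added illustration of the type/implementation split described above; it is not code from the thesis or from any of the cited projects, and every component, port and property value in it (the UAV_Example package, the Read_Sensor and Control_Law threads, the Flight_Control process, the Autopilot_CPU processor, the Servo device and their timing figures) is a hypothetical choice made for the example. Component type declarations carry only the external interface (ports) and the general properties; the implementations add subcomponents, the connections between them, and the binding of software to the execution platform that the analyses of Section 2.2.2 rely on.

```aadl
-- Added example, not part of the thesis: a hypothetical UAV flight-control
-- package. All identifiers and timing values are invented for illustration.
package UAV_Example
public

  -- Data component types: the payloads carried over the ports below.
  data Sensor_Reading
  end Sensor_Reading;

  data Actuator_Cmd
  end Actuator_Cmd;

  -- Component TYPE declarations: only the interface and general
  -- properties are visible here; nothing says how the thread is built.
  thread Read_Sensor
    features
      raw : out data port Sensor_Reading;
    properties
      Dispatch_Protocol => Periodic;
      Period => 20 ms;
      Deadline => 20 ms;
      Compute_Execution_Time => 1 ms .. 3 ms;
  end Read_Sensor;

  thread Control_Law
    features
      meas : in data port Sensor_Reading;
      cmd  : out data port Actuator_Cmd;
    properties
      Dispatch_Protocol => Periodic;
      Period => 20 ms;
      Deadline => 20 ms;
      Compute_Execution_Time => 2 ms .. 5 ms;
  end Control_Law;

  process Flight_Control
    features
      to_actuator : out data port Actuator_Cmd;
  end Flight_Control;

  -- Component IMPLEMENTATION: refines the process type with its thread
  -- subcomponents and the connections between them. Only data paths
  -- declared here exist in the model, which is what makes the flows
  -- between components reviewable in an architectural analysis.
  process implementation Flight_Control.impl
    subcomponents
      reader : thread Read_Sensor;
      ctrl   : thread Control_Law;
    connections
      c_meas : port reader.raw -> ctrl.meas;
      c_out  : port ctrl.cmd -> to_actuator;
  end Flight_Control.impl;

  -- Execution platform elements (hardware category).
  processor Autopilot_CPU
  end Autopilot_CPU;

  device Servo
    features
      cmd_in : in data port Actuator_Cmd;
  end Servo;

  -- Composite element: the system implementation ties the software to the
  -- hardware. The processor binding is the property a scheduling analysis
  -- needs in order to compute the load placed on Autopilot_CPU.
  system UAV
  end UAV;

  system implementation UAV.impl
    subcomponents
      cpu   : processor Autopilot_CPU;
      fc    : process Flight_Control.impl;
      servo : device Servo;
    connections
      c_servo : port fc.to_actuator -> servo.cmd_in;
    properties
      Actual_Processor_Binding => (reference (cpu)) applies to fc;
  end UAV.impl;

end UAV_Example;
```

Instantiating UAV.impl yields the kind of system instance discussed later in this section: with the values assumed here, the two threads bound to the processor need at most 3 ms + 5 ms of every 20 ms period, so a utilisation-based scheduling check would report 40% load and confirm that both deadlines can be met on that platform. Removing the Actual_Processor_Binding property leaves the process unbound, and the same analysis has nothing to evaluate, which is why the binding belongs in the architectural model rather than in the implementation code.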
The AADL language can be extended by the use of extension paths called annexes. In this way, different properties can be added to architectural representations, in order to detail properties such as behavioral and error characteristics. The extension provided by the behavioral annex enables the representation of the system behavior characteristics, defining properties like its operation modes. On the other hand, by using the error annex, the designers can represent the behavior performed in case of failure, aiming to detail the error propagation and cover aspects of architecture reliability.
Figure 5 – Relations between AADL components. Source: Feiler & Gluch (2012).
Aiming to support the evaluation of system properties, AADL supports the design of system instances, which represent an architectural scenario. By the use of instances the designers can evaluate system properties, ensuring that the designed application meets its restrictions. Regarding the architectural model design, different tools can be applied to represent its aspects, such as TOPCASED (FARAIL et al., 2006) and Osate 2 (SEI, 2005). These tools provide a means to represent the architectural characteristics that integrate software and hardware components.
The TOPCASED project is an open-source environment designed to support the modeling process of embedded critical systems. Its structure is based on the Eclipse environment, providing a set of tools to support model construction (FARAIL et al., 2006).
This tool is not only a set of features providing the integration of different components such as communication, specification, behavior, and architecture, in real time or statically, but also a set of standards proposed to guide the embedded systems design process. The TOPCASED environment supports the hardware and software specification from design to implementation.